ci: restore security hardening to GitHub Actions workflows#29
Open
phillip-wenig-frequenz wants to merge 1 commit into
Open
ci: restore security hardening to GitHub Actions workflows#29phillip-wenig-frequenz wants to merge 1 commit into
phillip-wenig-frequenz wants to merge 1 commit into
Conversation
phillip-wenig-frequenz
requested review from
llucax,
shsms and
simonvoelcker
and removed request for
a team
github-actions
Bot
added
part:docs
phillip-wenig-frequenz
requested review from
Copilot
and removed request for
simonvoelcker
Restore security measures that were accidentally removed:
- Add workflow-level `permissions: contents: read` to restrict default token access
- Hash-pin all GitHub Actions to prevent supply chain attacks
- Restore `python -I` isolation flag on Python invocations to prevent code execution
- Use `ubuntu-slim` runner on gate/aggregation and release jobs
- Add `permissions: {}` to jobs that only aggregate matrix results
- Implement safe bash array pattern for `$ALIASES` to prevent shell injection
- Use proper quoting and array expansion for shell variables and options
- Restore `python -Im` module invocations for frequenz.repo.config CLI
Signed-off-by: Phillip Wenig <phillip.wenig@frequenz.com>
phillip-wenig-frequenz
force-pushed
the
revert-workflow
branch
from
35d7676 to
429ed5c
Compare
There was a problem hiding this comment.
Pull request overview
Restores CI workflow security hardening that was previously removed, focusing on least-privilege GITHUB_TOKEN permissions, supply-chain protection via hash-pinned actions, and safer execution of Python/mike and shell handling in release/docs steps.
Changes:
- Re-added workflow-level
permissions: contents: readand tightened permissions for gate/aggregation jobs. - Hash-pinned GitHub Actions and restored isolated-mode Python invocations (
python -I/python -Im), plus safer bash array handling for aliases and release options. - Documented the tooling/security hardening restoration in
RELEASE_NOTES.md.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
RELEASE_NOTES.md |
Adds a release note entry describing the workflow security hardening restoration. |
.github/workflows/ci.yaml |
Restores hardened defaults (permissions, runner choice for gate jobs), pins actions by SHA, and hardens docs/release shell & Python invocation. |
.github/workflows/ci-pr.yaml |
Applies the same hardened defaults (permissions, action pinning, isolated-mode mike invocation) to PR CI. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
271
to
273
| - name: Setup Python | ||
| uses: frequenz-floss/gh-action-setup-python-with-deps@v1.0.4 | ||
| uses: frequenz-floss/gh-action-setup-python-with-deps@0d0d77eac3b54799f31f25a1060ef2c6ebdf9299 # v1.0.2 | ||
| with: |
Contributor
There was a problem hiding this comment.
This is fine, dependabot will take care of it.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Restores the security hardening to CI workflows that was accidentally removed in #17, as tracked in #27.
permissions: contents: readto bothci.yamlandci-pr.yaml@vX.Ytags with@<sha> # vX.Y) to prevent supply chain attackspython -Iisolated mode on all Python/mike invocations to prevent arbitrary code execution from checked-out sourcespermissions: {}andubuntu-slimrunner on gate/aggregation jobs (nox-all,test-installation-all) that only check matrix resultsubuntu-slimrunner oncreate-github-release$ALIASESin the mike deploy step to prevent shell injection"$REF_NAME"and safeextra_optsarray in the GitHub release creation steppython -Im(isolated module) calls forfrequenz.repo.configCLI invocationsCloses #27.